Have I been pwned API | is it safe to use?


With the recent breaches and leaks, it might be a good idea to integrate the have i been pwned API into a login or registration form. This way, users can be notified if their password or email address has known leaks.

But is it safe and worth it?


The API gives you programmatic access to the same information as the have i been pwned website: whether a password or email address appears in a known breach.

Since the API was abused in the past, Troy Hunt decided to make it a paid API, which costs ~$3.50/month.

First, you’ll need to create a key. To do this, head over to the API key page and enter your email.

have I been pwned API key page

You’ll receive an e-mail with a verification link. Clicking it redirects you to a page where you can enter your payment information.

have I been pwned payment

After paying and receiving a key, you can use the API with the provided documentation.

Is the have I been pwned API safe to use?

Checking passwords against a known list of breaches is recommended by NIST (SP 800-63B Section; see here or here for a summary). And since only the first 5 characters of the password hash are ever sent to the API, it should be OK to use.

In other words, the have I been pwned API is safe to use, since you never send the password itself, or even its full hash, to a third party.
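To make the “first 5 characters of the hash” point concrete, here is an added example (my own code, not the article’s and not HIBP’s client library) of the k-anonymity check as a server would perform it: hash the password with SHA-1, send only the 5-character prefix to the Pwned Passwords range endpoint, and match the remaining 35 characters locally against the `SUFFIX:COUNT` lines that come back. The network call is injectable, and the sample response below is constructed for this example (the counts are made up; only the suffix of `SHA-1("password")` is genuine), so the whole thing runs offline. The `live_fetch_range` helper shows what the real request looks like but is not exercised here.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of what the range endpoint returns for prefix "5BAA6".
# The real response has hundreds of "SUFFIX:COUNT" lines; these are made up
# for the example, except the second suffix, which is the genuine remainder
# of SHA-1("password"). The last line shows that a malformed line is ignored.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
6E5C6D0F3E28E8D95D9B6E61D3B2F4A1C0E:1
malformed line without a count
"""


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix is ever transmitted; the 35-character suffix
    stays on our side and is used purely for local matching.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping anything malformed.

    Entries with a count of 0 are dropped: when the request carries the
    'Add-Padding: true' header, the API pads the response with fake
    zero-count suffixes, and those must not be treated as real matches.
    """
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        suffix, sep, count = raw.strip().partition(":")
        if sep and len(suffix) == 35 and count.strip().isdigit():
            n = int(count)
            if n > 0:
                counts[suffix.upper()] = n
    return counts


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the network call; serves the constructed sample."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_fetch_range(prefix: str) -> str:
    """Real call to the Pwned Passwords range endpoint (not used in this example's test)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)  # only these 5 hex characters leave the server
    return parse_range_response(body).get(suffix, 0)


def is_acceptable(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> bool:
    """Policy hook for a registration form: reject any password seen in a breach."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate), "occurrence(s)")
```

Swapping `fake_fetch_range` for `live_fetch_range` turns this into a working check against the real service; the matching logic does not change, because the suffix comparison always happens locally. If the range endpoint is unreachable, decide up front whether to fail open (accept the password) or fail closed (reject the registration), since either choice has a cost.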

Why is not everybody using it then?

As mentioned before, the API comes with a monthly cost. And I’m not only talking about the $3.50/month, but also the cost of development and maintenance.

Some developer or engineer will need to implement it: read the docs, find out how it works, and so on. And once the API changes, they have to do some maintenance work.

And, as usual, security (like backups) is not a top priority in most corporate environments until an incident happens. Additionally, companies are often late to implement best practices, and this seems to be a “relatively” new one.

For most hobbyists, and maybe start-ups too, even the $3.50 may be too much.

So if you don’t want to use the API, or your employer won’t allow it, the best thing you can do is to define a strong password guideline and enforce it.

(Or maybe use an alternative one?)
